Package: gpgv
Version: 2.1.17-2
Severity: important

For some reason, gpgv fails to verify a file that verifies properly with gpg -v:

$ dget https://mentors.debian.net/debian/pool/main/d/dnsdiag/dnsdiag_1.4.0-1.dsc
dget: retrieving https://mentors.debian.net/debian/pool/main/d/dnsdiag/dnsdiag_1.4.0-1.dsc
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1489  100  1489    0     0   2534      0 --:--:-- --:--:-- --:--:--  2532
dget: using existing dnsdiag_1.4.0.orig.tar.gz
dget: using existing dnsdiag_1.4.0-1.debian.tar.xz
dnsdiag_1.4.0-1.dsc:
      Good signature found
   validating dnsdiag_1.4.0.orig.tar.gz
   validating dnsdiag_1.4.0-1.debian.tar.xz
All files validated successfully.
gpgv: Signature made Sun Jan 15 08:40:29 2017 EST
gpgv:                using RSA key A3200222CEE5D1A5
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./dnsdiag_1.4.0-1.dsc
dpkg-source: info: extracting dnsdiag in dnsdiag-1.4.0
dpkg-source: error: unpack target exists: dnsdiag-1.4.0

I can reproduce this with gpgv directly:

$ gpgv dnsdiag_1.4.0-1.dsc
gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/home/anarcat/.gnupg/trustedkeys.kbx': General error
gpgv: Signature made Sun Jan 15 08:40:29 2017 EST
gpgv:                using RSA key A3200222CEE5D1A5
gpgv: Can't check signature: No public key

It seems there's a problem with some kbx file. Oddly enough, gpg2 doesn't have that problem:

$ gpg -v dnsdiag*dsc
gpg: armor header: Hash: SHA256
gpg: original file name=''
gpg: dnsdiag_1.4.0-1.dsc: unknown suffix
Enter new filename: a
gpg: Signature made Sun Jan 15 08:40:29 2017 EST
gpg:                using RSA key A3200222CEE5D1A5
gpg: using subkey A3200222CEE5D1A5 instead of primary key 95146A1CBA141817
gpg: using pgp trust model
gpg: Good signature from "Ana Custura (These are not the hammer.) <a...@netstat.org.uk>" [unknown]
gpg:                 aka "Ana Custura <a.cust...@abdn.ac.uk>" [unknown]
gpg:                 aka "[jpeg image of size 3963]" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0D35 E41F 0844 4E72 C1CC  C3FF 9514 6A1C BA14 1817
     Subkey fingerprint: 6A1F DFE3 2457 47F6 E3D9  49A6 A320 0222 CEE5 D1A5
gpg: textmode signature, digest algorithm SHA256, key algorithm rsa2048

i.e. it doesn't give the warning about the kbx file.

Now, there's a warning that the key is not trusted, but that's fine - I want gpg to verify the file's integrity, and I TOFU the key... But dpkg-source gives me a definite warning that it can't verify the file's content:

dpkg-source: warning: failed to verify signature on ./dnsdiag_1.4.0-1.dsc

That's bad! It means I need to use the `-u` flag to dget, which breaks the trust path to the developer.

I tried verifying the key with the gnupg1 package, which works, but that doesn't ship with a gpgv binary anymore, so I can't use that gpgv either.

I wonder if this should be marked as 'grave' because it fails to verify valid signatures, but since this is a corner case, I figured I would stick with 'important'.

Thanks for the feedback,

A.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gpgv depends on:
ii  libbz2-1.0      1.0.6-8
ii  libc6           2.24-8
ii  libgcrypt20     1.7.5-2
ii  libgpg-error0   1.26-1
ii  zlib1g          1:1.2.8.dfsg-4

gpgv recommends no packages.

Versions of packages gpgv suggests:
ii  gnupg  2.1.17-2

-- no debconf information
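The report above hinges on the difference between "Good signature" and "Can't check signature: No public key", which dpkg-source correctly treats as a verification failure. The following is an added example, not code from the bug report or from dpkg/devscripts: it wraps gpgv with an explicit --keyring and --status-fd and classifies the machine-readable status lines so that a missing key is never mistaken for a valid signature. The sample status lines are constructed (key ID and fingerprints taken from the report), and the keyring path is an assumption.

```python
"""Classify gpgv --status-fd output so that NO_PUBKEY is never read as success."""
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Verdict:
    state: str                      # "good", "bad", "unverifiable", "no_signature"
    keyid: Optional[str] = None
    fingerprint: Optional[str] = None
    missing_keys: List[str] = field(default_factory=list)


def classify_status(lines):
    """Parse '[GNUPG:] ...' lines. Any BADSIG wins outright; GOODSIG+VALIDSIG
    means a cryptographically valid signature; ERRSIG/NO_PUBKEY means gpgv
    could not check it at all (the situation in the report)."""
    verdict = Verdict("no_signature")
    for line in lines:
        if not line.startswith("[GNUPG:] "):
            continue                # human-readable gpgv chatter, not status
        fields = line.split()
        keyword, args = fields[1], fields[2:]
        if keyword == "BADSIG":
            return Verdict("bad", keyid=args[0])
        if keyword == "GOODSIG":
            verdict.state, verdict.keyid = "good", args[0]
        elif keyword == "VALIDSIG":
            verdict.fingerprint = args[0]   # full fingerprint of signing (sub)key
        elif keyword == "NO_PUBKEY":
            verdict.missing_keys.append(args[0])
            if verdict.state != "good":
                verdict.state = "unverifiable"
        elif keyword == "ERRSIG" and verdict.state != "good":
            verdict.state, verdict.keyid = "unverifiable", args[0]
    return verdict


def gpgv_verify(path, keyring="~/.gnupg/trustedkeys.gpg"):
    """Run gpgv against an explicit keyring (assumed: a classic gpg-format
    keyring written with `gpg --export`) and return a Verdict.
    Status lines go to stdout via --status-fd 1; stderr stays human-readable."""
    import os
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", os.path.expanduser(keyring), path],
        capture_output=True, text=True, check=False)
    return classify_status(proc.stdout.splitlines())


# Constructed samples mirroring the two outcomes shown in the report.
SAMPLE_NO_PUBKEY = [
    "gpgv: Signature made Sun Jan 15 08:40:29 2017 EST",
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG A3200222CEE5D1A5 1 8 01 1484487629 9",
    "[GNUPG:] NO_PUBKEY A3200222CEE5D1A5",
]
SAMPLE_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG A3200222CEE5D1A5 Ana Custura <a...@netstat.org.uk>",
    "[GNUPG:] VALIDSIG 6A1FDFE3245747F6E3D949A6A3200222CEE5D1A5 2017-01-15 "
    "1484487629 0 4 0 1 8 01 0D35E41F08444E72C1CCC3FF95146A1CBA141817",
]
```

Only a Verdict with state "good" should let a tool proceed; "unverifiable" is exactly what dget's `-u` would silently skip past.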